As a development partner for secure software and an operator of critical infrastructure, we bear great responsibility for the security, resilience and availability of our products and services.
Although we already offer our customers a very high standard of security, we must constantly take further measures to protect against attacks and ensure the usual high availability.
A1 Digital organises webinars at regular intervals to explain the most important EU regulations and to discuss who is affected by the directives, what obligations arise from them, and also what opportunities they create.
In the first part of this webinar series, Sarah Lanzanasto and Istvan Deak, two of our experts, will talk about their hands-on experience with the implementation of the DORA and NIS-2 directives.
DORA
DORA, short for "Digital Operational Resilience Act", is an EU regulation that has been in force since 17 January 2025 and regulates cyber security, ICT risks and digital operational resilience. The regulation is intended to make a significant contribution to strengthening the European financial market against cyber risks and information and communication technology (ICT) incidents.
Requirements for companies within the framework of DORA
- Governance and control framework for effective risk management
- Processes for classifying, reporting and managing ICT incidents
- Checking digital resilience using frameworks and penetration tests
- Third-party risk management for external service providers and suppliers
- Exchange of threat intelligence data between companies
The DORA directive applies to companies in the financial sector as well as service providers and suppliers to this sector.

NIS-2
NIS-2, short for "The Network and Information Security Directive", is an EU directive that has been in force since 16 January 2023 and contains measures for a high common level of cybersecurity in the Union. It is a revised version of the existing NIS-1 directive and is intended to modernise the existing scope in light of increasing digitalisation and ever-growing threats to cybersecurity.
Essentially, the NIS-2 guideline is based on existing cybersecurity functions.
- Identify - analyse and assess risks
- Protect - build effective protection mechanisms
- Detect - recognise anomalies
- Respond - react to incidents and initiate corrective measures
- Recover - structured recovery and analysis
DORA implementation in practice - "Lessons learnt"
One of our focal points at World Direct is the development of software for the financial sector. However, we not only develop, but also operate these highly available systems in the highly secure data centres of our parent company A1 Telekom Austria.
As the EU views the security of the financial system not only from the perspective of banks and financial service providers, but also considers the entire supply chain, we as a service provider are also directly affected by DORA and NIS-2.
As an ICT service provider, the NIS-2 aspects affect our entire company, even outside the financial sector. Compliance with these guidelines has been part of our everyday practice for years.
In the area of DORA, we have already dealt very intensively with the individual aspects and their impact on our range of services. In doing so, we have gained valuable experience and insights that we would like to share here.
Who has what obligations?
One of the biggest challenges is to understand the scope and complexity of the DORA Directive. Although DORA specifically addresses the financial sector, we as a critical ICT service provider are affected to the same extent and have to deal with it. It was important for us to find out which requirements we actually have to fulfil ourselves as a service provider, and where we can only support our customers in the financial sector without being the addressee of the guidelines ourselves. This distinction has a major impact on both the technical implementation and the contractual structure.
Contractual aspects
We have looked at the DORA Directive from two angles. Firstly, we ask ourselves whether we are the addressee of a requirement, or whether the addressee is the financial services provider, in which case the requirement does not fall directly under our obligations. If we are the addressee, we check whether the requirement is already regulated contractually or must be included in a new DORA supplementary agreement. A clear agreement with the customer is essential here, so that both parties do not draw up draft contracts independently without coordinating them; this avoids unnecessary additional time and costs.
Organisational framework conditions
At a second level, we need to check whether we are already implementing a requirement in practice or whether we still need to implement it. Internally, we then ask ourselves which of our departments provides this service and who is responsible for its implementation. We then assess the additional work involved to see whether we can pass these additional costs on to the customer.
The time factor
As a critical ICT service provider, you have to plan for the time required. Implementing the DORA guidelines cannot be done "on the side". Preparations must be company-wide, and a great deal of coordination is usually required between the individual units, such as the specialist departments, Legal, HR and Finance, right from the start.
DORA and NIS-2 separately?
We are affected by both directives and read the requirements side by side, primarily in order to exploit synergies. This allows us to implement overlapping requirements together instead of doing the work twice. As we are also aiming for ISO 27001 certification, we see a lot of congruent tasks in the area of physical security requirements and therefore little additional work for DORA.